Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into minorchange

devices/surface-hub/TOC.md

@@ -43,6 +43,7 @@
 ## Support
 ### [Recover and reset Surface Hub 2S](surface-hub-2s-recover-reset.md)
 ### [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md)
+### [How to pack and ship your Surface Hub 2S for service](surface-hub-2s-pack-components.md)
 ### [Change history](surface-hub-2s-change-history.md)
 
 # Surface Hub

devices/surface-hub/surface-hub-2s-pack-components.md

@@ -0,0 +1,90 @@
+---
+title: "How to pack and ship your Surface Hub 2S for service"
+description: "Instructions for packing Surface Hub 2S components, replacing the Compute cartridge, and replacing the camera"
+keywords: pack, replace components, camera, compute cartridge
+ms.prod: surface-hub
+ms.sitesec: library
+author: Teresa-Motiv
+ms.author: v-tea
+audience: Admin
+ms.topic: article
+ms.date: 07/1/2019
+ms.localizationpriority: Normal
+---
+
+# How to pack and ship your Surface Hub 2S for service
+
+If you replace your Surface Hub 2S, one of its components, or a related accessory, use the instructions in this article when you pack the device for shipment. 
+
+>[!IMPORTANT]  
+>When packing your device for shipment, make sure that you use the packaging in which your replacement device arrived.  
+
+This article contains the following procedures:
+
+- [How to pack your Surface Hub 2S 55”](#how-to-pack-your-surface-hub-2s-55)  
+- [How to replace and pack your Surface Hub 2S Compute Cartridge](#how-to-replace-and-pack-your-surface-hub-2s-compute-cartridge)  
+- [How to replace your Surface Hub 2S Camera](#how-to-replace-your-surface-hub-2s-camera)  
+
+## How to pack your Surface Hub 2S 55”
+
+Use the following steps to pack your Surface Hub 2S 55" for shipment.
+
+![The Surface Hub unit and mobile stand.](images/surface-hub-2s-repack-1.png)
+
+![Remove the pen and the camera. Do not pack them with the unit.](images/surface-hub-2s-repack-2.png)
+
+![Remove the drive and the power cable. Do not pack them with the unit.](images/surface-hub-2s-repack-3.png)
+
+![Do not pack the Setup guide with the unit.](images/surface-hub-2s-repack-4.png)
+
+![Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge.](images/surface-hub-2s-repack-5.png)
+
+![Slide the Compute Cartridge out of the unit.](images/surface-hub-2s-repack-6.png)
+
+![You will need the Compute Cartridge and a screwdriver.](images/surface-hub-2s-repack-7.png)
+
+![Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD).](images/surface-hub-2s-repack-8.png)
+
+![Replace the cover and slide the Compute Cartridge back into the unit.](images/surface-hub-2s-repack-9.png)
+
+![Re-fasten the locking screw and slide the cover into place.](images/surface-hub-2s-repack-10.png)
+
+![Remove any base or mounting hardware. Using two people, place the unit in the base of the shipping container.](images/surface-hub-2s-repack-11.png)
+
+![Replace the cover of the shipping container, and insert the four clips.](images/surface-hub-2s-repack-12.png)
+
+![Close the four clips.](images/surface-hub-2s-repack-13.png)
+
+## How to replace and pack your Surface Hub 2S Compute Cartridge
+
+Use the following steps to remove the Surface Hub 2S Compute Cartridge, pack it for shipment, and install the new Compute Cartridge.
+
+![Image of the compute cartridge.](images/surface-hub-2s-replace-cartridge-1.png)
+
+![Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge.](images/surface-hub-2s-replace-cartridge-2.png)
+
+![Slide the Compute Cartridge out of the unit.](images/surface-hub-2s-replace-cartridge-3.png)
+
+![You will need the Compute Cartridge and a screwdriver.](images/surface-hub-2s-replace-cartridge-4.png)
+
+![Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD). When finished, replace the cover.](images/surface-hub-2s-repack-8.png)
+
+![You will need the packaging fixtures that were used to package your replacement Compute Cartridge.](images/surface-hub-2s-replace-cartridge-6.png)
+
+![Place the old Compute Cartridge in the packaging fixtures.](images/surface-hub-2s-replace-cartridge-7.png)
+
+![Place the old Compute Cartridge and its packaging into the box that was used for the replacement Compute Cartridge. Reseal the box.](images/surface-hub-2s-replace-cartridge-8.png)
+
+![Image of the replacement Compute Cartridge.](images/surface-hub-2s-replace-cartridge-1.png)
+
+![Slide the replacement Compute Cartridge into the unit.](images/surface-hub-2s-replace-cartridge-9.png)
+
+![Fasten the locking screw and slide the cover into place.](images/surface-hub-2s-replace-cartridge-10.png)
+
+## How to replace your Surface Hub 2S Camera
+
+Use the following steps to remove the Surface Hub 2S camera and install the new camera.
+
+![You will need the new camera and the two-millimeter allen wrench](images/surface-hub-2s-replace-camera-1.png)
+
+![Unplug the old camera from the unit. If needed, use the allen wrench to adjust the new camera. Plug the new camera into the unit.](images/surface-hub-2s-replace-camera-2.png)

windows/release-information/status-windows-10-1903.yml

@@ -70,7 +70,7 @@ sections:
       <tr><td><div id='455msg'></div><b>Loss of functionality in Dynabook Smartphone Link app</b><br>After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.<br><br><a href = '#455msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 20, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>May 24, 2019 <br>03:10 PM PT</td></tr>
       <tr><td><div id='448msg'></div><b>Display brightness may not respond to adjustments</b><br>Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.<br><br><a href = '#448msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>May 21, 2019 <br>04:47 PM PT</td></tr>
       <tr><td><div id='433msg'></div><b>Audio not working with Dolby Atmos headphones and home theater </b><br>Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.<br><br><a href = '#433msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Investigating<br><a href = '' target='_blank'></a></td><td>May 21, 2019 <br>07:17 AM PT</td></tr>
-      <tr><td><div id='521msg'></div><b>RASMAN service may stop working and result in the error “0xc0000005”</b><br>Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN (AOVPN) connection.<br><br><a href = '#521msgdesc'>See details ></a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>June 28, 2019 <br>05:01 PM PT</td></tr>
+      <tr><td><div id='522msg'></div><b>RASMAN service may stop working and result in the error “0xc0000005”</b><br>The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.<br><br><a href = '#522msgdesc'>See details ></a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>July 01, 2019 <br>05:04 PM PT</td></tr>
       <tr><td><div id='490msg'></div><b>Error attempting to update with external USB device or memory card attached </b><br>PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"<br><br><a href = '#490msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>June 11, 2019 <br>12:34 PM PT</td></tr>
       <tr><td><div id='454msg'></div><b>Gamma ramps, color profiles, and night light settings do not apply in some cases</b><br>Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.<br><br><a href = '#454msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>May 24, 2019 <br>11:02 AM PT</td></tr>
       <tr><td><div id='450msg'></div><b>Unable to discover or connect to Bluetooth devices</b><br>Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers.<br><br><a href = '#450msgdesc'>See details ></a></td><td>OS Build 18362.116<br><br>May 21, 2019<br><a href ='https://support.microsoft.com/help/4505057' target='_blank'>KB4505057</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>May 21, 2019 <br>04:48 PM PT</td></tr>
@@ -97,7 +97,7 @@ sections:
   - type: markdown
     text: "
       <table border ='0'><tr><td width='65%'>Details</td><td width='15%'>Originating update</td><td width='10%'>Status</td><td width='10%'>History</td></tr>
-      <tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='521msgdesc'></div><b>RASMAN service may stop working and result in the error “0xc0000005”</b><div>The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” when devices are manually configured to the non-default telemetry setting of 0. You may also receive an error in the<strong> Application section </strong>of <strong>Windows Logs</strong> <strong>in</strong>&nbsp;<strong>Event Viewer&nbsp;</strong>with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.</div><div><br></div><div>This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.</div><div><br></div><div><strong>Affected platforms</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div> <strong>Workaround: </strong>To mitigate this issue, use one of the steps below, either the group policy step or the registry step, to configure one of the default telemetry settings:</div><div><br></div><div>Set the value for the following group policy settings:</div><ol><li>Group Policy Path: Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Telemetry</li><li>Safe Policy Setting: Enabled and set to 1 (Basic) or 2 (Enhanced) or 3 (Full) </li></ol><div><br></div><div>Or set the following registry value:</div><p class=\"ql-indent-1\">SubKey: HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection</div><p class=\"ql-indent-1\">Setting: AllowTelemetry</div><p class=\"ql-indent-1\">Type: REG_DWORD</div><p class=\"ql-indent-1\">Value: 1, 2 or 3</div><div><br></div><div><strong>Note</strong> You may need to restart the Remote Access Connection Manager service after setting the Group Policy or registry key.</div><div><br></div><div><strong>Next Steps:</strong> We are working on a resolution and will provide an update in an upcoming release.</div><br><a href ='#521msg'>Back to top</a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>Last updated:<br>June 28, 2019 <br>05:01 PM PT<br><br>Opened:<br>June 28, 2019 <br>05:01 PM PT</td></tr>
+      <tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='522msgdesc'></div><b>RASMAN service may stop working and result in the error “0xc0000005”</b><div>The Remote Access Connection Manager (RASMAN) service may stop working and you may receive the error “0xc0000005” on devices where the diagnostic data level is manually configured to the non-default setting of 0.&nbsp;You may also receive an error in the<strong> Application section </strong>of <strong>Windows Logs</strong> <strong>in</strong>&nbsp;<strong>Event Viewer&nbsp;</strong>with Event ID 1000 referencing “svchost.exe_RasMan” and “rasman.dll”.</div><div><br></div><div>This issue only occurs when a VPN profile is configured as an Always On VPN (AOVPN) connection with or without device tunnel. This does not affect manual only VPN profiles or connections.</div><div><br></div><div><strong>Affected platforms</strong></div><ul><li>Client: Windows 10, version 1903</li></ul><div></div><div><strong>Workaround: </strong>To mitigate this issue, use one of the steps below, either the group policy step or the registry step, to configure one of the default telemetry settings:</div><div><br></div><div>Set the value for the following group policy settings:</div><ol><li>Group Policy Path: Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\Allow Telemetry</li><li>Safe Policy Setting: Enabled and set to 1 (Basic) or 2 (Enhanced) or 3 (Full)</li></ol><div><br></div><div>Or set the following registry value:</div><p class=\"ql-indent-1\">SubKey: HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection</div><p class=\"ql-indent-1\">Setting: AllowTelemetry</div><p class=\"ql-indent-1\">Type: REG_DWORD</div><p class=\"ql-indent-1\">Value: 1, 2 or 3</div><div><br></div><div><strong>Note</strong>&nbsp;If the Remote Access Connection Manager service is not running after setting the Group Policy or registry key, you will need to manually start the service or restart the device.</div><div><br></div><div><strong>Next Steps:</strong> We are working on a resolution and estimate a solution will be available in late July.</div><br><a href ='#522msg'>Back to top</a></td><td>OS Build 18362.145<br><br>May 29, 2019<br><a href ='https://support.microsoft.com/help/4497935' target='_blank'>KB4497935</a></td><td>Mitigated<br><a href = '' target='_blank'></a></td><td>Last updated:<br>July 01, 2019 <br>05:04 PM PT<br><br>Opened:<br>June 28, 2019 <br>05:01 PM PT</td></tr>
       <tr><td style='border-left-width:1px;border-right-width:1px;border-bottom-width:1px;'><div id='519msgdesc'></div><b>Event Viewer may close or you may receive an error when using Custom Views</b><div>When trying to expand, view, or create&nbsp;<strong>Custom Views&nbsp;</strong>in Event Viewer, you may receive the error, \"MMC has detected an error in a snap-in and will unload it.\" and the app may stop responding or close. You may also receive the same error when using&nbsp;<strong>Filter Current Log</strong>&nbsp;in the&nbsp;<strong>Action&nbsp;</strong>menu with built-in views or logs. Built-in views and other features of Event Viewer should work as expected.</div><div><br></div><div><strong>Affected platforms:</strong></div><ul><li>Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1</li><li>Server: Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2</li></ul><div></div><div><strong>Resolution:</strong>&nbsp;This issue was resolved in <a href='https://support.microsoft.com/help/4501375' target='_blank'>KB4501375</a>.</div><br><a href ='#519msg'>Back to top</a></td><td>OS Build 18362.175<br><br>June 11, 2019<br><a href ='https://support.microsoft.com/help/4503293' target='_blank'>KB4503293</a></td><td>Resolved<br><a href = 'https://support.microsoft.com/help/4501375' target='_blank'>KB4501375</a></td><td>Resolved:<br>June 27, 2019 <br>10:00 AM PT<br><br>Opened:<br>June 12, 2019 <br>11:11 AM PT</td></tr>
       </table>
       "

windows/release-information/windows-message-center.yml

@@ -50,6 +50,9 @@ sections:
     text: "
       <table border ='0'><tr><td width='80%'>Message</td><td width='20%'>Date</td></tr>
       
+      <tr><td><a href = 'https://blogs.windows.com/windowsexperience/2019/07/01/evolving-windows-10-servicing-and-quality-the-next-steps/' target='_blank'><b>Evolving Windows 10 servicing and quality</b></a><br><div>Find out how we plan to further optimize the delivery of the next Windows 10 feature update for devices running Windows 10, version 1903. If you're a commercial customer, please see the <a href='https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Moving-to-the-next-Windows-10-feature-update-for-commercial/ba-p/732968' target='_blank'>Windows IT Pro Blog</a> for more details on how to plan for this new update option in your environment.</div></td><td>July 01, 2019 <br>02:00 PM PT</td></tr>
+      <tr><td><a href = '' target='_blank'><b>Windows 10, version 1903 starting to roll out to devices running Windows 10, version 1803 and earlier</b></a><br><div>We are now beginning to build and train the machine learning (ML) based rollout process to update devices running Windows 10, version 1803 (the April 2018 Update) and earlier versions of Windows 10, to ensure we can continue to service these devices and provide the latest updates, security updates, and improvements.</div></td><td>June 18, 2019 <br>02:00 PM PT</td></tr>
+      <tr><td><a href = '' target='_blank'><b>Windows 10, version 1903 available by selecting “Check for updates”</b></a><br><div>Windows 10, version 1903 is now available for any user who manually selects “Check for updates” via Windows Update. The recommended servicing status is Semi-Annual Channel.</div></td><td>June 06, 2019 <br>06:00 PM PT</td></tr>
       <tr><td><a href = 'https://blogs.windows.com/windowsexperience/2019/05/21/how-to-get-the-windows-10-may-2019-update/#1P75kJB6T5OhySyo.97' target='_blank'><b>Windows 10, version 1903 rollout begins</b></a><br>The Windows 10 May 2019 Update (Windows 10, version 1903) is available today to commercial customers via Windows Server Update Services (WSUS), Windows Update for Business, and the Volume Licensing Service Center (VLSC)—and to end users who manually select “Check for updates.” We are slowly throttling up availability while we carefully monitor data and feedback.</td><td>May 21, 2019 <br>10:00 AM PT</td></tr>
       <tr><td><a href = 'https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-in-Windows-Update-for-Business-in-Windows-10-version/ba-p/622064' target='_blank'><b>What’s new in Windows Update for Business</b></a><br>We are enhancing and expanding the capabilities of Windows Update for Business to make the move to the cloud even easier. From simplified branch readiness options to better control over deadlines and reboots, read about the enhancements to Windows Update for Business as a part of Windows 10, version 1903. </td><td>May 21, 2019 <br>10:00 AM PT</td></tr>
       <tr><td><a href = 'https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-new-for-IT-pros-in-Windows-10-version-1903/ba-p/622024' target='_blank'><b>What’s new for businesses and IT pros in Windows 10</b></a><br>Explore the newest capabilities for businesses and IT in the latest feature update in the areas of intelligent security, simplified updates, flexible management, and enhanced productivity. </td><td>May 21, 2019 <br>10:00 AM PT</td></tr>

windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md

@@ -1,26 +1,26 @@
 ---
-title: Device Guard is the combination of Windows Defender Application Control and virtualization-based protection of code integrity (Windows 10)
-description: Device Guard consists of both hardware and software system integrity hardening capabilites that can be deployed separately or in combination.
-keywords: virtualization, security, malware
+title: Windows Defender Application Control and virtualization-based protection of code integrity (Windows 10)
+description: Hardware and software system integrity hardening capabilites that can be deployed separately or in combination.
+keywords: virtualization, security, malware, device guard
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 author: dansimp
-ms.date: 09/07/2018
+ms.date: 07/01/2019
 ms.reviewer: 
 manager: dansimp
 ms.author: dansimp
 ---
 
-# Device Guard: Windows Defender Application Control and virtualization-based protection of code integrity
+# Windows Defender Application Control and virtualization-based protection of code integrity
 
 **Applies to**
 -   Windows 10
 -   Windows Server 2016
 
-Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI). 
+Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they operate with many of the properties of mobile devices. In this configuration, specific technologies work together to restrict devices to only run authorized apps by using a feature called configurable code integrity, while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI). 
 
-Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices. This combined "configuration state" of configurable code integrity and HVCI has been referred to as Windows Defender Device Guard. 
+Configurable code integrity policies and HVCI are very powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a very strong protection capability for Windows 10 devices.  
 
 Using configurable code integrity to restrict devices to only authorized apps has these advantages over other solutions:
 
@@ -29,28 +29,22 @@ Using configurable code integrity to restrict devices to only authorized apps ha
 3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy. 
 4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
 
-## (Re-)Introducing Windows Defender Application Control
+## Windows Defender Application Control
 
-When we originally designed the configuration state that we have referred to as Windows Defender Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between the two main OS features of the Device Guard configuration, configurable code integrity and HVCI, we intentionally focused our discussion around the Device Guard lockdown state you achieve when deploying them together. 
+When we originally designed this configuration state, we did so with a specific security promise in mind. Although there were no direct dependencies between configurable code integrity and HVCI, we intentionally focused our discussion around the lockdown state you achieve when deploying them together. However, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either. 
 
-However, the use of the term Device Guard to describe this configuration state has unintentionally left an impression for many IT professionals that the two features were inexorably linked and could not be deployed separately. 
-Additionally, given that HVCI relies on Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. 
-
-As a result, many IT Professionals assumed that because some systems couldn't use HVCI, they couldn’t use configurable code integrity either. 
-But configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
+Configurable code integrity carries no specific hardware or software requirements other than running Windows 10, which means many IT professionals were wrongly denied the benefits of this powerful application control capability.
 
 Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we are discussing and documenting configurable code integrity as a independent technology within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control). 
 We hope this change will help us better communicate options for adopting application control within an organization.
 
-Does this mean Windows Defender Device Guard configuration state is going away? Not at all. The term Device Guard will continue to be used as a way to describe the fully locked down state achieved through the use of Windows Defender Application Control (WDAC), HVCI, and hardware and firmware security features. It also allows us to work with our OEM partners to identify specifications for devices that are “Device Guard capable” so that our joint customers can easily purchase devices that meet all of the hardware and firmware requirements of the original "Device Guard" locked down scenario for Windows 10 based devices.
-
 ## Related topics
 
 [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control)
 
-[Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard](https://channel9.msdn.com/Events/Ignite/2015/BRK2336)
+[Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender](https://channel9.msdn.com/Events/Ignite/2015/BRK2336)
 
-[Driver compatibility with Windows Defender Device Guard in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10)
+[Driver compatibility with Windows Defender in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10)
 
 [Code integrity](https://technet.microsoft.com/library/dd348642.aspx)
 

windows/security/threat-protection/microsoft-defender-atp/TOC.md

@@ -70,9 +70,6 @@
 ###### [Remove file from blocked list](respond-file-alerts.md#remove-file-from-blocked-list)
 ###### [Check activity details in Action center](respond-file-alerts.md#check-activity-details-in-action-center)
 ###### [Deep analysis](respond-file-alerts.md#deep-analysis)
-###### [Submit files for analysis](respond-file-alerts.md#submit-files-for-analysis)
-###### [View deep analysis reports](respond-file-alerts.md#view-deep-analysis-reports)
-###### [Troubleshoot deep analysis](respond-file-alerts.md#troubleshoot-deep-analysis)
 
 
 ##### [Investigate entities using Live response](live-response.md)
@@ -356,6 +353,11 @@
 #### Interoperability
 ##### [Partner applications](partner-applications.md)
 
+#### [Manage machine configuration](configure-machines.md)
+##### [Monitor and increase machine onboarding](configure-machines-onboarding.md)
+##### [Increase compliance to the security baseline](configure-machines-security-baseline.md)
+##### [Optimize ASR rule deployment and detections](configure-machines-asr.md)
+
 #### Role-based access control
 ##### [Manage portal access using RBAC](rbac.md)
 ###### [Create and manage roles](user-roles.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-features.md

@@ -29,9 +29,11 @@ Depending on the Microsoft security products that you use, some advanced feature
 Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations:
 
 ## Automated investigation
+
 When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations.md).
 
 ## Live response
+
 When you enable this feature, users with the appropriate permissions can initiate a live response session on machines.
 
 For more information on role assignments see, [Create and manage roles](user-roles.md).
@@ -39,8 +41,8 @@ For more information on role assignments see, [Create and manage roles](user-rol
 ## Live response unsigned script execution
 Enabling this feature allows you to run unsigned scripts in a live response session.
 
-
 ## Auto-resolve remediated alerts
+
 For tenants created on or after Windows 10, version 1809 the automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated".  If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature.
 
 >[!TIP]
@@ -50,14 +52,28 @@ For tenants created on or after Windows 10, version 1809 the automated investiga
 > - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine.  
 >- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overwrite it.
 
-
 ## Block file
-This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled, see [Block files in your network](respond-file-alerts.md#block-files-in-your-network) for more details.
 
-If your organization satisfies these conditions, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization.
+Blocking is only available if your organization uses Windows Defender Antivirus as the active antimalware solution, and if the cloud-based protection feature is enabled.
+
+This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on machines in your organization.
+
+To turn **Block or allow** files on:
+
+1. In the navigation pane, select **Settings** > **Advanced features** > **Allow or block file**.
+
+1. Toggle the setting between **On** and **Off**.
+
+    ![Image of advanced settings for block file feature](images/atp-preferences-setup.png)
+
+1. Select **Save preferences** at the bottom of the page.
+
+Once you have enabled this feature, you can [block files](respond-file-alerts.md#allow-or-block-file) via the **Add Indicator** tab on a file's profile page.
 
 ## Show user details
+
 When you enable this feature, you'll be able to see user details stored in Azure Active Directory including a user's picture, name, title, and department information  when investigating user account entities. You can find user account information in the following views:
+
 - Security operations dashboard
 - Alert queue
 - Machine details page
@@ -65,20 +81,21 @@ When you enable this feature, you'll be able to see user details stored in Azure
 For more information, see [Investigate a user account](investigate-user.md).
 
 ## Skype for Business integration
+
 Enabling the Skype for Business integration gives you the ability to communicate with users using Skype for Business, email, or phone. This can be handy when you need to communicate with the user and mitigate risks.
 
 >[!NOTE]
 > When a machine is being isolated from the network, there's a pop-up where you can choose to enable Outlook and Skype communications which allows communications to the user while they are disconnected from the network. This setting applies to Skype and Outlook communication when machines are in isolation mode.
 
-
 ## Azure Advanced Threat Protection integration
-The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view.
 
+The integration with Azure Advanced Threat Protection allows you to pivot directly into another Microsoft Identity security product. Azure Advanced Threat Protection augments an investigation with additional insights about a suspected compromised account and related resources. By enabling this feature, you'll enrich the machine-based investigation capability by pivoting across the network from an identify point of view.
 
 >[!NOTE]
 >You'll need to have the appropriate license to enable this feature.
 
 ### Enable the Microsoft Defender ATP integration from the Azure ATP portal
+
 To receive contextual machine integration in Azure ATP, you'll also need to enable the feature in the Azure ATP portal.
 
 1. Login to the [Azure portal](https://portal.atp.azure.com/) with a Global Administrator or Security Administrator role.
@@ -90,6 +107,7 @@ To receive contextual machine integration in Azure ATP, you'll also need to enab
 When you complete the integration steps on both portals, you'll be able to see relevant alerts in the machine details or user details page.
 
 ## Office 365 Threat Intelligence connection
+
 This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page.
 
 When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into Microsoft Defender Security Center to conduct a holistic security investigation across Office 365 mailboxes and Windows machines.
@@ -100,22 +118,25 @@ When you enable this feature, you'll be able to incorporate data from Office 365
 To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Microsoft Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512).
 
 ## Microsoft Threat Experts
+
 Out of the two Microsoft Threat Expert components, targeted attack notification is in general availability, while  experts-on-demand capability is still in preview. You can only use the experts-on-demand capability if you have applied for preview and your application has been approved. You can receive targeted attack notifications from Microsoft Threat Experts through your Microsoft Defender ATP portal's alerts dashboard and via email if you configure it.
 
 >[!NOTE]
 >The Microsoft Threat Experts capability in Microsoft Defender ATP is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security).
 
 ## Microsoft Cloud App Security
+
 Enabling this setting forwards Microsoft Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data.
 
 >[!NOTE]
 >This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later.
 
 ## Azure Information Protection
+
 Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings.
 
-
 ## Microsoft Intune connection
+
 This feature is only available if you have an active Microsoft Intune (Intune) license.
 
 When you enable this feature, you'll be able to share Microsoft Defender ATP device information to Intune and enhance policy enforcement.
@@ -123,18 +144,20 @@ When you enable this feature, you'll be able to share Microsoft Defender ATP dev
 >[!NOTE]
 >You'll need to enable the integration on both Intune and Microsoft Defender ATP to use this feature.
 
-
 ## Preview features
+
 Learn about new features in the Microsoft Defender ATP preview release and be among the first to try upcoming features by turning on the preview experience.
 
 You'll have access to upcoming features which you can provide feedback on to help improve the overall experience before features are generally available.
 
 ## Enable advanced features
+
 1. In the navigation pane, select **Preferences setup** > **Advanced features**.
 2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**.
 3. Click **Save preferences**.
 
 ## Related topics
+
 - [Update data retention settings](data-retention-settings.md)
 - [Configure alert notifications](configure-email-notifications.md)
 - [Enable and create Power BI reports using Microsoft Defender ATP data](powerbi-reports.md)

windows/security/threat-protection/microsoft-defender-atp/advanced-hunting.md

@@ -23,7 +23,7 @@ ms.date: 08/15/2018
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink)
 
 
-To get you started in querying your data, you can use the basic or Advanced query examples that have some preloaded queries for you to understand the basic query syntax.
+To get you started in querying your data, you can use the Basic or Advanced query examples, which have some preloaded queries to help you understand the basic query syntax.
 
 ![Image of Advanced hunting window](images/atp-advanced-hunting.png)
 
@@ -151,6 +151,3 @@ Check out the [Advanced hunting repository](https://github.com/Microsoft/Windows
 ## Related topic
 - [Advanced hunting reference](advanced-hunting-reference.md)
 - [Advanced hunting query language best practices](advanced-hunting-best-practices.md)
-
-
-

windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md

@@ -93,6 +93,9 @@ You can choose to limit the list of alerts based on their status.
 ### Investigation state
 Corresponds to the automated investigation state.
 
+### Category
+You can choose to filter the queue to display specific types of malicious activity.
+
 ### Assigned to
 You can choose between showing alerts that are assigned to you or automation.
 

windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md

@@ -39,19 +39,19 @@ Field numbers match the numbers in the images below.
 > 
 > | Portal   label   | SIEM field name           | ArcSight field      | Example value                                                                      | Description                                                                                                                                                                    |
 > |------------------|---------------------------|---------------------|------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-> | 1                | AlertTitle                | name                | A dll was unexpectedly loaded into   a high integrity process without a UAC prompt | Value available for every alert.                                                                                                                                               |
-> | 2                | Severity                  | deviceSeverity      | Medium                                                                             | Value available for every alert.                                                                                                                                               |
-> | 3                | Category                  | deviceEventCategory | Privilege Escalation                                                               | Value available for every alert.                                                                                                                                               |
-> | 4                | Source                    | sourceServiceName   | WindowsDefenderATP                                                                 | Windows Defender Antivirus or   Microsoft Defender ATP. Value available for every alert.                                                                                         |
-> | 5                | MachineName               | sourceHostName      | liz-bean                                                                           | Value available for every alert.                                                                                                                                               |
+> | 1                | AlertTitle                | name                | Windows Defender AV detected 'Mikatz' high-severity malware | Value available for every alert.                                                                                                                                               |
+> | 2                | Severity                  | deviceSeverity      | High                                                                             | Value available for every alert.                                                                                                                                               |
+> | 3                | Category                  | deviceEventCategory | Malware                                                               | Value available for every alert.                                                                                                                                               |
+> | 4                | Detection source                    | sourceServiceName   | Antivirus                                                                 | Windows Defender Antivirus or   Microsoft Defender ATP. Value available for every alert.                                                                                         |
+> | 5                | MachineName               | sourceHostName      | desktop-4a5ngd6                                                                           | Value available for every alert.                                                                                                                                               |
 > | 6                | FileName                  | fileName            | Robocopy.exe                                                                       | Available for alerts associated   with a file or process.                                                                                                                      |
 > | 7                | FilePath                  | filePath            | C:\Windows\System32\Robocopy.exe                                                   | Available for alerts associated   with a file or process.                                                                                                                     |
-> | 8                | UserDomain                | sourceNtDomain      | contoso                                                                            | The domain of the user context   running the activity, available for Microsoft Defender ATP behavioral based   alerts.                                                           |
-> | 9                | UserName                  | sourceUserName      | liz-bean                                                                           | The user context running the   activity, available for Microsoft Defender ATP behavioral based alerts.                                                                           |
-> | 10               | Sha1                      | fileHash            | 5b4b3985339529be3151d331395f667e1d5b7f35                                           | Available for alerts associated   with a file or process.                                                                                                                      |
-> | 11               | Md5                       | deviceCustomString5 | 55394b85cb5edddff551f6f3faa9d8eb                                                   | Available for Windows Defender AV   alerts.                                                                                                                                    |
-> | 12               | Sha256                    | deviceCustomString6 | 9987474deb9f457ece2a9533a08ec173a0986fa3aa6ac355eeba5b622e4a43f5                   | Available for Windows Defender AV   alerts.                                                                                                                                    |
-> | 13               | ThreatName                | eviceCustomString1  | Trojan:Win32/Skeeyah.A!bit                                                         | Available for Windows Defender AV   alerts.                                                                                                                                    |
+> | 8                | UserDomain                | sourceNtDomain      | CONTOSO                                                                            | The domain of the user context   running the activity, available for Microsoft Defender ATP behavioral based   alerts.                                                           |
+> | 9                | UserName                  | sourceUserName      | liz.bean                                                                           | The user context running the   activity, available for Microsoft Defender ATP behavioral based alerts.                                                                           |
+> | 10               | Sha1                      | fileHash            | 3da065e07b990034e9db7842167f70b63aa5329                                           | Available for alerts associated   with a file or process.                                                                                                                      |
+> | 11               | Sha256                    | deviceCustomString6 | ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5                   | Available for Windows Defender AV   alerts.                                                                                                                                    |
+> | 12               | Md5                       | deviceCustomString5 | db979c04a99b96d370988325bb5a8b21                                                   | Available for Windows Defender AV   alerts.                                                                                                                                    |
+> | 13               | ThreatName                | deviceCustomString1  | HackTool:Win32/Mikatz!dha                                                         | Available for Windows Defender AV   alerts.                                                                                                                                    |
 > | 14               | IpAddress                 | sourceAddress       | 218.90.204.141                                                                     | Available for alerts associated   to network events. For example, 'Communication to a malicious network   destination'.                                                        |
 > | 15               | Url                       | requestUrl          | down.esales360.cn                                                                  | Available for alerts associated to   network events. For example, 'Communication to a malicious network   destination'.                                                         |
 > | 16               | RemediationIsSuccess      | deviceCustomNumber2 | TRUE                                                                               | Available for Windows Defender AV   alerts. ArcSight value is 1 when TRUE and 0 when FALSE.                                                                                    |
@@ -60,7 +60,7 @@ Field numbers match the numbers in the images below.
 > | 19               | LinkToWDATP               | flexString1         | `https://securitycenter.windows.com/alert/636210704265059241_673569822`            | Value available for every alert.                                                                                                                                               |
 > | 20               | AlertTime                 | deviceReceiptTime   | 2017-05-07T01:56:59.3191352Z                                                       | The time the activity relevant to   the alert occurred. Value available for every alert.                                                                                       |
 > | 21               | MachineDomain             | sourceDnsDomain     | contoso.com                                                                        | Domain name not relevant for AAD   joined machines. Value available for every alert.                                                                                           |
-> | 22               | Actor                     | deviceCustomString4 |                                                                                    | Available for alerts related to a   known actor group.                                                                                                                         |
+> | 22               | Actor                     | deviceCustomString4 | BORON                                                                                   | Available for alerts related to a   known actor group.                                                                                                                         |
 > | 21+5             | ComputerDnsName           | No mapping          | liz-bean.contoso.com                                                               | The machine fully qualified   domain name. Value available for every alert.                                                                                                    |
 > |                  | LogOnUsers                | sourceUserId        | contoso\liz-bean;   contoso\jay-hardee                                             | The domain and user of the   interactive logon user/s at the time of the event. Note: For machines on   Windows 10 version 1607, the domain information will not be available. |
 > |                  | InternalIPv4List          | No mapping          | 192.168.1.7, 10.1.14.1                                                             | List of IPV4 internal IPs for active network interfaces.                                                                                                                                                                               |

windows/security/threat-protection/microsoft-defender-atp/check-sensor-status.md

@@ -25,7 +25,7 @@ ms.date: 04/24/2018
 
 >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-checksensor-abovefoldlink)
 
-The sensor health tile provides information on the individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
+The sensor health tile is found on the Security Operations dashboard. This tile provides information on the individual machine’s ability to provide sensor data and communicate with the Microsoft Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues.
 
 There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service:
 - **Misconfigured** - These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected.
@@ -44,7 +44,7 @@ You can filter the health state list by the following status:
 - **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service.
 
 
-You can view the machine details when you click on a misconfigured or inactive machine. You’ll see more specific machine information when you click the information icon.
+You can view the machine details when you click on a misconfigured or inactive machine.
 
 ![Microsoft Defender ATP sensor filter](images/atp-machine-health-details.png)
 

windows/security/threat-protection/microsoft-defender-atp/configure-email-notifications.md

@@ -69,7 +69,7 @@ You can create rules that determine the machines and alert severities to send em
 
 Here's an example email notification:
 
-![Image of example email notification](images/email-notification.png)
+![Image of example email notification](images/atp-example-email-notification.png)
 
 ## Edit a notification rule
 1. Select the notification rule you'd like to edit.

windows/security/threat-protection/microsoft-defender-atp/configure-machines-asr.md

@@ -0,0 +1,55 @@
+---
+title: Optimize ASR rule deployment and detections
+description: Ensure your attack surface reduction (ASR) rules are fully deployed and optimized to effectively identify and prevent actions that are typically taken by malware during exploitation. 
+keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: procedural
+---
+
+# Optimize ASR rule deployment and detections
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+[Attack surface reduction (ASR) rules](../windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md) identify and prevent actions that are typically taken by malware during exploitation. These rules control when and how potentially malicious code can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.
+
+![Attack surface management card](images/secconmgmt_asr_card.png)<br>
+*Attack surface management card*
+
+The **Attack surface management** card is an entry point to tools in Microsoft 365 security center that you can use to:
+
+- Understand how ASR rules are currently deployed in your organization
+- Review ASR detections and identify possible incorrect detections
+- Analyze the impact of exclusions and generate the list of file paths to exclude
+
+Selecting **Go to attack surface management** takes you to **Monitoring & reports > Attack surface reduction rules > Add exclusions**. From there, you can navigate to other sections of Microsoft 365 security center.
+
+![Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center](images/secconmgmt_asr_m365exlusions.png)<br>
+*Add exclusions tab in the Attack surface reduction rules page in Microsoft 365 security center*
+
+>[!NOTE]
+>To access Microsoft 365 security center, you need a Microsoft 365 E3 or E5 license and an account that has certain roles on Azure Active Directory. [Read more about required licenses and permissions](https://docs.microsoft.com/office365/securitycompliance/microsoft-security-and-compliance#required-licenses-and-permissions)
+
+For more information about optimizing ASR rule deployment in Microsoft 365 security center, read [Monitor and manage ASR rule deployment and detections](https://docs.microsoft.com/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections) 
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+
+# Related topics
+- [Ensure your machines are configured properly](configure-machines.md)
+- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
+- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)

windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md

@@ -0,0 +1,76 @@
+---
+title: Get machines onboarded to Microsoft Defender ATP
+description: Track onboarding of Intune-managed machines to Windows Defender ATP and increase onboarding rate.
+keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, configuration management
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: procedural
+---
+
+# Get machines onboarded to Microsoft Defender ATP
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+Each onboarded machine adds an additional endpoint detection and response (EDR) sensor and increases visibility over breach activity in your network. Onboarding also ensures that a machine can be checked for vulnerable components as well security configuration issues and can receive critical remediation actions during attacks.
+
+## Discover and track unprotected machines
+
+The **Onboarding** card provides a high-level overview of your onboarding rate by comparing the number of Windows 10 machines that have actually onboarded to Microsoft Defender ATP against the total number of Intune-managed Windows 10 machines.
+
+![Machine configuration management Onboarding card](images/secconmgmt_onboarding_card.png)<br>
+*Card showing onboarded machines compared to the total number of Intune-managed Windows 10 machine*
+
+>[!NOTE]
+>- If you used Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles, you might encounter data discrepancies. To resolve these discrepancies, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to your machines.
+>- During preview, you might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
+
+## Onboard more machines with Intune profiles
+
+Microsoft Defender ATP provides several convenient options for [onboarding Windows 10 machines](onboard-configure.md). For Intune-managed machines, however, you can leverage Intune profiles to conveniently deploy the Microsoft Defender ATP sensor to select machines, effectively onboarding these devices to the service.
+
+From the **Onboarding** card, select **Onboard more machines** to create and assign a profile on Intune. The link takes you to a similar overview of your onboarding state.
+
+>[!TIP]
+>Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**.
+
+From the overview, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the machines you want to onboard.
+
+1. Select **Create a device configuration profile to configure ATP sensor**.
+
+   ![Microsoft Defender ATP device compliance page on Intune device management](images/secconmgmt_onboarding_1deviceconfprofile.png)<br>
+   *Microsoft Defender ATP device compliance page on Intune device management*
+
+2. Specify a name for the profile, specify desired configuration options for sample sharing and reporting frequency, and select **Create** to save the new profile.
+
+   ![Configuration profile creation screen on Intune](images/secconmgmt_onboarding_2deviceconfprofile.png)<br>
+   *Configuration profile creation*
+
+3. After creating the profile, assign it to all your machines. You can review profiles and their deployment status anytime by accessing **Device configuration > Profiles** on Intune.
+
+   ![Profile assignment screen screen on Intune](images/secconmgmt_onboarding_3assignprofile.png)<br>
+   *Assigning the new agent profile to all machines*
+
+>[!TIP]
+>To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-profile-assign).
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+
+# Related topics
+- [Ensure your machines are configured properly](configure-machines.md)
+- [Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md)
+- [Optimize ASR rule deployment and detections](configure-machines-asr.md)

windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline.md

@@ -0,0 +1,108 @@
+---
+title: Increase compliance to the Microsoft Defender ATP security baseline
+description: The Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.
+keywords: Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection ASR, security baseline
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: procedural
+---
+
+# Increase compliance to the Microsoft Defender ATP security baseline
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+Security baselines ensure that security features are configured according to guidance from both security experts and expert Windows system administrators. When deployed, the Microsoft Defender ATP security baseline sets Microsoft Defender ATP security controls to provide optimal protection.
+
+To understand security baselines and how they are assigned on Intune using configuration profiles, [read this FAQ](https://docs.microsoft.com/intune/security-baselines#q--a).
+
+## Compare the Microsoft Defender ATP and the Windows Intune security baselines
+The Windows Intune security baseline provides a comprehensive set of recommended settings needed to securely configure machines running Windows, including browser settings, PowerShell settings, as well as settings for some security features like Windows Defender Antivirus. In contrast, the Microsoft Defender ATP baseline provides settings that optimize all the security controls in the Microsoft Defender ATP stack, including settings for endpoint detection and response (EDR) as well as settings also found in the Windows Intune security baseline. For more information about each baseline, see:
+
+- [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows)
+- [Microsoft Defender ATP baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-defender-atp)
+
+Both baselines are maintained so that they complement one another and have identical values for shared settings. Deploying both baselines to the same machine will not result in conflicts. Ideally, machines onboarded to Microsoft Defender ATP are deployed both baselines: the Windows Intune security baseline to initially secure Windows and then the Microsoft Defender ATP security baseline layered on top to optimally configure the Microsoft Defender ATP security controls.
+
+## Get permissions to manage security baselines in Intune
+
+By default, only users who have been assigned the Global Administrator or the Intune Service Administrator role on Azure AD can manage security baseline profiles. If you haven’t been assigned either role, work with a Global Administrator or an Intune Service Administrator to [create a custom role in Intune](https://docs.microsoft.com/intune/create-custom-role#to-create-a-custom-role) with full permissions to security baselines and then assign that role to your Azure AD group.
+
+![Security baseline permissions on Intune](images/secconmgmt_baseline_permissions.png)
+
+*Security baseline permissions on Intune*
+
+## Monitor compliance to the Microsoft Defender ATP security baseline
+
+The **Security baseline** card on [machine configuration management](configure-machines.md) provides an overview of compliance across Windows 10 machines that have been assigned the Microsoft Defender ATP security baseline.
+
+![Security baseline card](images/secconmgmt_baseline_card.png)<br>
+*Card showing compliance to the Microsoft Defender ATP security baseline*
+
+Each machine is given one of the following status types:
+
+- **Matches baseline**—machine settings match all the settings in the baseline
+- **Does not match baseline**—at least one machine setting doesn't match the baseline
+- **Misconfigured**—at least one baseline setting isn't properly configured on the machine and is in a conflict, error, or pending state
+- **Not applicable**—At least one baseline setting isn't applicable on the machine
+
+To review specific machines, select **Configure security baseline** on the card. This takes you to Intune device management. From there, select **Device status** for the names and statuses of the machines.
+
+>[!NOTE] 
+>During preview, you might encounter a few known limitations:
+>- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
+>- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
+
+## Review and assign the Microsoft Defender ATP security baseline
+
+Machine configuration management monitors baseline compliance only of Windows 10 machines that have been specifically assigned the Microsoft Defender ATP security baseline. You can conveniently review the baseline and assign it to machines on Intune device management.
+
+1. Select **Configure security baseline** on the **Security baseline** card to go to Intune device management. A similar overview of baseline compliance is displayed.
+
+   >[!TIP]
+   > Alternatively, you can navigate to the Microsoft Defender ATP security baseline in the Microsoft Azure portal from **All services > Intune > Device security > Security baselines (preview) > PREVIEW: Windows Defender ATP baseline**.
+
+
+2. Create a new profile.
+
+   ![Microsoft Defender ATP security baseline overview on Intune](images/secconmgmt_baseline_intuneprofile1.png)<br>
+   *Microsoft Defender ATP security baseline overview on Intune*
+
+3. During profile creation, you can review and adjust specific settings on the baseline.
+
+   ![Security baseline options during profile creation on Intune](images/secconmgmt_baseline_intuneprofile2.png)<br>
+   *Security baseline options during profile creation on Intune*
+
+4. Assign the profile to the appropriate machine group.
+
+   ![Security baseline profiles on Intune](images/secconmgmt_baseline_intuneprofile3.png)<br>
+   *Assigning the security baseline profile on Intune*
+
+5. Save the profile and deploy it to the assigned machine group.
+
+   ![Assigning the security baseline on Intune](images/secconmgmt_baseline_intuneprofile4.png)<br>
+   *Saving and deploying the security baseline profile on Intune*
+
+>[!TIP]
+>To learn more about Intune security baselines and assigning them, read [Create a Windows 10 security baseline in Intune](https://docs.microsoft.com/intune/security-baselines).
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)
+
+# Related topics
+- [Ensure your machines are configured properly](configure-machines.md)
+- [Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)
+- [Optimize ASR rule deployment and detections](configure-machines-asr.md)

windows/security/threat-protection/microsoft-defender-atp/configure-machines.md

@@ -0,0 +1,69 @@
+---
+title: Ensure your machines are configured properly
+description: Properly configure machines to boost overall resilience against threats and enhance your capability to detect and respond to attacks.
+keywords: onboard, Intune management, MDATP, WDATP, Microsoft Defender, Windows Defender, advanced threat protection, attack surface reduction, ASR, security baseline
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: lomayor
+author: lomayor
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: procedural
+---
+
+# Ensure your machines are configured properly
+
+**Applies to:**
+- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-abovefoldlink)
+
+With properly configured machines, you can boost overall resilience against threats and enhance your capability to detect and respond to attacks. Security configuration management helps ensure that your machines:
+
+- Onboard to Microsoft Defender ATP
+- Meet or exceed the Microsoft Defender ATP security baseline configuration
+- Have strategic attack surface mitigations in place
+
+![Security configuration management page](images/secconmgmt_main.png)<br>
+*Machine configuration management page*
+
+You can track configuration status at an organizational level and quickly take action in response to poor onboarding coverage, compliance issues, and poorly optimized attack surface mitigations through direct, deep links to device management pages on Microsoft Intune and Microsoft 365 security center.
+
+In doing so, you benefit from:
+- Comprehensive visibility of the events on your machines
+- Robust threat intelligence and powerful machine learning technologies for processing raw events and identifying the breach activity and threat indicators
+- A full stack of security features configured to efficiently stop the installation of malicious implants, hijacking of system files and process, data exfiltration, and other threat activities
+- Optimized attack surface mitigations, maximizing strategic defenses against threat activity while minimizing impact to productivity
+
+## Enroll machines to Intune management
+
+Machine configuration management works closely with Intune device management to establish the inventory of the machines in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 machines.
+
+Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll).
+
+>[!TIP] 
+>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune).
+
+>[!NOTE] 
+>During preview, you might encounter a few known limitations:
+>- You might experience discrepancies in aggregated data displayed on the machine configuration management page and those displayed on overview screens in Intune.
+>- The count of onboarded machines tracked by machine configuration management might not include machines onboarded using Security Center Configuration Manager, the onboarding script, or other onboarding methods that don’t use Intune profiles. To include these machines, create a corresponding Intune configuration profile for Microsoft Defender ATP onboarding and assign that profile to these machines.
+>- The Microsoft Defender ATP security baseline currently doesn’t cover settings for all Microsoft Defender ATP security controls, including settings for exploit protection and Application Guard.
+
+
+## In this section
+Topic | Description
+:---|:---
+[Get machines onboarded to Microsoft Defender ATP](configure-machines-onboarding.md)| Track onboarding status of Intune-managed machines and onboard more machines through Intune. 
+[Increase compliance to the Microsoft Defender ATP security baseline](configure-machines-security-baseline.md) | Track baseline compliance and noncompliance. Deploy the security baseline to more Intune-managed machines.
+[Optimize ASR rule deployment and detections](configure-machines-asr.md) | Review rule deployment and tweak detections using impact analysis tools in Microsoft 365 security center.
+
+>Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink)